Nice work! Angelboy & TwinkleStar03 (@scwuaptx & @_twinklestar03) of DEVCORE Research Team + DEVCORE Internship Program was able to exploit Microsoft Windows 11! If confirmed, they win $30,000 and 3 Master of Pwn points. They're off to the disclosure room to explain how they did it. #Pwn2Own #P2OBerlin

@lina Proper automation has an upfront cost, and I think this is what ppl try to avoid. It's not uncommon that people wait for frontier models to get better at deciding on logical conditions instead of writing two if's...

I worked at a fairly big tech co years before the AI boom. People did large scale refractoring across huge code bases back then. With refactoring tools. And properly written robots.

Applying changes to code at scale, opening PRs automatically, basic interaction with human reviewers, making sure tests pass, getting things merged when ready. All that already existed before LLMs. And it was actually reliable and not capable of hallucinating terrible things.

It's like we've forgotten how to automate things without LLMs and openclaw now...

Amaze! Amaze! Amaze! Orange Tsai of DEVCORE Research Team was able to exploit Edge with a sandbox escape! If confirmed, we wins $175K. He's off to the disclosure room to explain how he did it. #Pwn2Own #P2OBerlin

Boom! Valentina Palmiotti wastes no time kicking off #Pwn2Own Berlin in style. She requires just a few second to get code execution on the NV Container Toolkit. She heads off to the disclosure room to provide all the details.

I have published #Diaphora 3.4.0. Now you can install it in IDA by just running this:

$ hcli plugin install diaphora

https://github.com/joxeankoret/diaphora/releases/tag/3.4.0

A 0-click exploit chain for the Pixel 10: When a Door Closes, a Window Opens https://projectzero.google/2026/05/pixel-10-exploit.html

@davidgerard headline of the day :D

Google replaces your PC mouse with yelling at Gemini

‘reimagining’ the mouse pointer

https://www.youtube.com/watch?v=NSWCWnLMj-U&list=UU9rJrMVgcXTfa8xuMnbhAEA - video
https://pivottoai.libsyn.com/20260513-google-replaces-your-mouse-with-yelling-at-gemini - podcast

time: 5 min 38 sec

https://pivot-to-ai.com/2026/05/13/google-replaces-your-pc-mouse-with-yelling-at-gemini/ - blog post

#Ghidra 12.1 is out, changes:

https://github.com/NationalSecurityAgency/ghidra/blob/Ghidra_12.1_build/Ghidra/Configurations/Public_Release/src/global/docs/ChangeHistory.md

My first contribution (#6827) landed after *checks notes* 19 months :D

@sassdawe "If a man promises to fix something, he'll fix it. No need to remind him every year!"

Hey nerds!

I made a thing!

It's a "chore tracker*, but I took a somewhat unique take on the subject 🙈

It tracks when did you last completed a chore and how close are you to the desired frequency you set for that particular chore.

You can access it here: https://chores-mvp.azurewebsites.net/

There is #privacy policy as well. I hope it will answer most of the questions.

You can self-host it if you're into that sort of things, get it from GitHub: https://github.com/sassdawe/chores

Design goal #1: when popular and eventually hacked leading to user info being leaked @troyhunt should only be able to say: can't add it to HiBP because there is no email address anywhere. ✅

Design goal #2: No passwords because they are bad for security. ✅

Design goal #3: make the users the Most Valuable Partner in doing the Chores. ✅👀

PS: And let me know whether you played around with the Demo and did it spark joy?

@ifin s/with ASLR/without ASLR/

The Junkyard Call for Bugs is officially open! 👾
www.districtcon.org/junkyard

For additional information, please reference our Disclosure Guidance doc: lnkd.in/ewjswJyf

And if you missed last years presentations, check them out on YouTube now: https://www.youtube.com/@DistrictCon/shorts

Officially lost track of Linux page cache LPE's - see also: "cache invalidation and naming things":

https://github.com/v12-security/pocs/tree/main/fragnesia

This is CVE-2026-46300

@buherator @christopherkunz @jhr77
Also note that the RedSun author noticed that the vulnerability was fixed, without a CVE

Edit: The RedSun author is wrong. It still works fine

Missing peripheral in QEMU? Adding it yourself is easier than you think.

We hit a wall analyzing CVE-2019-14192 on real Raspberry Pi 3B+ firmware, so we added the missing driver to #QEMU. Register by register, using U-Boot's own source as the spec.

🔗 http://www.eshard.com/blog/u-boot-cve-tta-qemu-part-2

#QEMU #Cybersecurity #firmware #uboot

@icing Don't give them ideas!

When you hear people abandoning Open Source because of the AI exploit threat, ask them if we should keep our laws secret as well.

Because there is a huge industry of accountants and lawyers specialized in finding exploits in those.

No? Thought so.